Defying tunneling: A Wicked approach to detecting malicious network traffic
ID: 461f70dc-962e-5035-99ee-b01a2cd69cc0
STIX ID: report--461f70dc-962e-5035-99ee-b01a2cd69cc0
Feed Name: Red Canary
This report analyzes December 2024 malware configuration data (over 150,000 samples) to show that multiple RAT families commonly use reverse tunneling services and dynamic DNS providers to hide C2 infrastructure; notable domain preferences include ply.gg (Playit), duckdns.org, portmap.host, and No-IP domains. The authors describe their methodology (VirusTotal parsing and Synapse pivots), present per-family domain usage, and recommend detection/mitigation steps such as DNS sinkholing, allowlisting needed DDNS providers, and monitoring/blocking tunneling services while balancing business needs.
